Legal claims defining the scope of protection, as filed with the USPTO.
1. A method for generating a customer blacklist associated with a customer system, comprising: generating, at a computer, a network blacklist comprising a first plurality of internet protocol addresses, the first plurality of internet protocol addresses identifying a plurality of unwanted traffic sources; generating a customer whitelist based on analyzing a customer historical usage pattern including traffic sources with repeatedly completed sessions and traffic sources with repeated initiated sessions, the customer whitelist comprising a second plurality of internet protocol addresses, the second plurality of internet protocol addresses identifying a plurality of wanted traffic sources; comparing each internet protocol address in the first plurality of internet protocol addresses with each internet protocol address in the second plurality of internet protocol addresses; and for each internet protocol address in the first plurality of internet protocol addresses: adding the internet protocol address to the customer blacklist if the internet protocol address is not in the second plurality of internet protocol addresses; and not adding the internet protocol address to the customer blacklist if the internet protocol address is in the second plurality of internet protocol addresses; wherein generating a network blacklist further comprises: acquiring a raw blacklist comprising a third plurality of internet protocol addresses identifying a third plurality of unwanted traffic sources; sorting the third plurality of internet protocol addresses according to prefix groups with a network-specified prefix length selected based on network-specified heuristics; rank ordering the prefix groups according to traffic frequency including number of connection attempts over a time interval; and selecting a set of top prefix groups based on the rank ordering for inclusion in the network blacklist.
2. The method of claim 1, further comprising: monitoring a traffic flow from a traffic source identified by a source internet protocol address to the customer system, wherein the customer system is identified by a destination internet protocol address; comparing the source internet protocol address with the customer blacklist; blocking the traffic flow if the source internet protocol address is on the customer blacklist; and allowing the traffic flow if the source internet protocol address is not on the customer blacklist.
3. The method of claim 2, wherein blocking the traffic flow further comprises: blocking the traffic flow at a node.
4. The method of claim 1, wherein acquiring a raw blacklist further comprises: accessing a reputation system.
5. The method of claim 1, wherein generating a network blacklist further comprises: populating a filter table with the top prefix groups.
6. The method of claim 1, wherein generating a network blacklist further comprises: acquiring a raw blacklist comprising a third plurality of internet protocol addresses identifying a third plurality of unwanted traffic sources; sorting the third plurality of internet protocol addresses according to prefix groups with a network-specified prefix length; analyzing traffic patterns within each prefix group; generating prefix subgroups based at least on the prefix groups and the analyzed traffic patterns; rank ordering the prefix subgroups according to traffic frequency; and selecting the top network-specified prefix subgroups.
7. A non-transitory computer readable medium storing computer program instructions for generating a customer blacklist associated with a customer system, the computer instructions comprising: generating a network blacklist comprising a first plurality of internet protocol addresses, the first plurality of internet protocol addresses identifying a plurality of unwanted traffic sources; generating a customer whitelist based on analyzing a customer historical usage pattern including traffic sources with repeatedly completed sessions and traffic sources with repeated initiated sessions, the customer whitelist comprising a second plurality of internet protocol addresses, the second plurality of internet protocol addresses identifying a plurality of wanted traffic sources; comparing each internet protocol address in the first plurality of internet protocol addresses with each internet protocol address in the second plurality of internet protocol addresses; and for each internet protocol address in the first plurality of internet protocol addresses: adding the internet protocol address to the customer blacklist if the internet protocol address is not in the second plurality of internet protocol addresses; and not adding the internet protocol address to the customer blacklist if the internet protocol address is in the second plurality of internet protocol addresses; wherein generating a network blacklist further comprises: acquiring a raw blacklist comprising a third plurality of internet protocol addresses identifying a third plurality of unwanted traffic sources; sorting the third plurality of internet protocol addresses according to prefix groups with a network-specified prefix length selected based on network-specified heuristics; rank ordering the prefix groups according to traffic frequency including number of connection attempts over a time interval; and selecting a set of top prefix groups based on the rank ordering for inclusion in the network blacklist.
8. The non-transitory computer readable medium of claim 7, wherein the computer instructions for generating a customer blacklist further comprises computer program instructions comprising: monitoring a traffic flow from a traffic source identified by a source internet protocol address to the customer system, wherein the customer system is identified by a destination internet protocol address; comparing the source internet protocol address with the customer blacklist; blocking the traffic flow if the source internet protocol address is on the customer blacklist; and allowing the traffic flow if the source internet protocol address is not on the customer blacklist.
9. The non-transitory computer readable medium of claim 8, wherein the computer program instructions defining the step of blocking the traffic flow further comprises computer programming instructions comprising: blocking the traffic flow at a node.
10. The non-transitory computer readable medium of claim 7, wherein the computer program instructions defining the step of acquiring a raw blacklist further comprises computer program instructions comprising: accessing at least one reputation system.
11. The non-transitory computer readable medium of claim 7, wherein the computer program instructions defining the step of generating a network blacklist further comprises computer program instructions comprising: populating a filter table with the top prefix groups.
12. The non-transitory computer readable medium of claim 7, wherein the computer program instructions defining the step of generating a network blacklist further comprises computer program instructions comprising: acquiring a raw blacklist comprising a third plurality of internet protocol addresses identifying a third plurality of unwanted traffic sources; sorting the third plurality of internet protocol addresses according to prefix groups with a network-specified prefix length; analyzing traffic patterns within each prefix group; generating prefix subgroups based at least on the prefix groups and the analyzed traffic patterns; rank ordering the prefix subgroups according to traffic frequency; and selecting the top network-specified prefix subgroups.
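The pipeline recited in claims 1 and 2, as an added Python example that is not part of the patent or any implementation by its owner. Assumptions: the network blacklist is taken to be the raw-blacklist addresses that fall inside the selected top prefix groups, "repeated" is modelled as a hypothetical min_repeats threshold, and all addresses and counts are constructed sample data from documentation ranges.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed sample: raw blacklist address -> connection attempts in the interval.
RAW = {"203.0.113.5": 900, "203.0.113.77": 400, "198.51.100.9": 700,
       "198.51.100.200": 50, "192.0.2.14": 20}
# Constructed customer history: one (source address, session event) pair per session.
HISTORY = ([("198.51.100.200", "completed")] * 4
           + [("203.0.113.77", "initiated")] * 3
           + [("203.0.113.5", "completed")])

def network_blacklist(raw, prefix_len, top_n):
    """Group raw addresses by prefix, rank groups by attempts, keep the top N."""
    groups = defaultdict(list)
    for ip in raw:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        groups[net].append(ip)
    # Highest total connection attempts first; ties broken by network order.
    ranked = sorted(groups, key=lambda n: (-sum(raw[i] for i in groups[n]), n))
    return {ip for net in ranked[:top_n] for ip in groups[net]}

def customer_whitelist(history, min_repeats=3):
    """Sources with repeatedly completed or repeatedly initiated sessions."""
    counts = Counter(history)
    return {ip for (ip, _event), n in counts.items() if n >= min_repeats}

def customer_blacklist(net_bl, whitelist):
    """Keep a network-blacklisted address only if the customer does not want it."""
    return {ip for ip in net_bl if ip not in whitelist}

def allow(src_ip, cust_bl):
    """Claim 2 decision: block listed sources, allow everything else."""
    return src_ip not in cust_bl

if __name__ == "__main__":
    net_bl = network_blacklist(RAW, prefix_len=24, top_n=2)
    cust_bl = customer_blacklist(net_bl, customer_whitelist(HISTORY))
    for src in sorted(RAW):
        print(src, "ALLOW" if allow(src, cust_bl) else "BLOCK")
```

The whitelist subtraction is per customer, so an address dropped from one customer's blacklist because of that customer's history stays on the network blacklist for every other customer.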
April 17, 2012